From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
roswest <roswest@cisco.com>
Subject: [PATCH 3.14 11/35] USB: validate wMaxPacketValue entries in endpoint descriptors
Date: Mon, 5 Sep 2016 18:43:12 +0200
Message-ID: <20160905163959.160279362@linuxfoundation.org>
In-Reply-To: <20160905163958.687259537@linuxfoundation.org>

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit aed9d65ac3278d4febd8665bd7db59ef53e825fe upstream.

Erroneous or malicious endpoint descriptors may have non-zero bits in
reserved positions, or out-of-bounds values. This patch helps prevent
these from causing problems by bounds-checking the wMaxPacketValue
entries in endpoint descriptors and capping the values at the maximum
allowed.

This issue was first discovered and tests were conducted by Jake Lamberson
<jake.lamberson1@gmail.com>, an intern working for Rosie Hall.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: roswest <roswest@cisco.com>
Tested-by: roswest <roswest@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/config.c | 66 +++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 63 insertions(+), 3 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -143,6 +143,31 @@ static void usb_parse_ss_endpoint_compan
}
}
+static const unsigned short low_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 8,
+ [USB_ENDPOINT_XFER_ISOC] = 0,
+ [USB_ENDPOINT_XFER_BULK] = 0,
+ [USB_ENDPOINT_XFER_INT] = 8,
+};
+static const unsigned short full_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 64,
+ [USB_ENDPOINT_XFER_ISOC] = 1023,
+ [USB_ENDPOINT_XFER_BULK] = 64,
+ [USB_ENDPOINT_XFER_INT] = 64,
+};
+static const unsigned short high_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 64,
+ [USB_ENDPOINT_XFER_ISOC] = 1024,
+ [USB_ENDPOINT_XFER_BULK] = 512,
+ [USB_ENDPOINT_XFER_INT] = 1023,
+};
+static const unsigned short super_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 512,
+ [USB_ENDPOINT_XFER_ISOC] = 1024,
+ [USB_ENDPOINT_XFER_BULK] = 1024,
+ [USB_ENDPOINT_XFER_INT] = 1024,
+};
+
static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
int asnum, struct usb_host_interface *ifp, int num_ep,
unsigned char *buffer, int size)
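Review bot: In high_speed_maxpacket_maxes the USB_ENDPOINT_XFER_INT entry is 1023, but USB 2.0 allows a high-speed interrupt endpoint a maximum packet size of 1024 bytes; 1023 is the full-speed isochronous limit, so this looks like a typo. As written, a compliant high-speed interrupt endpoint advertising 1024 would trigger the warning and be capped to 1023. Suggest `[USB_ENDPOINT_XFER_INT] = 1024,` in that table. The zero entries for isochronous and bulk in low_speed_maxpacket_maxes would also benefit from a short comment saying those transfer types are not allowed at low speed, since a limit of 0 means any such endpoint with a non-zero size has it forced to 0 by the later `maxp > j` check.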
@@ -151,6 +176,8 @@ static int usb_parse_endpoint(struct dev
struct usb_endpoint_descriptor *d;
struct usb_host_endpoint *endpoint;
int n, i, j, retval;
+ unsigned int maxp;
+ const unsigned short *maxpacket_maxes;
d = (struct usb_endpoint_descriptor *) buffer;
buffer += d->bLength;
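Review bot: Only maxp and maxpacket_maxes are declared here, so the validation block added further down reuses the existing counters from `int n, i, j, retval;` to hold the additional-transaction bits (i) and the size limit (j). Dedicated, descriptively named unsigned locals for those two values would make that block easier to follow and would keep the comparison against the unsigned maxp within one signedness.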
@@ -247,6 +274,42 @@ static int usb_parse_endpoint(struct dev
endpoint->desc.wMaxPacketSize = cpu_to_le16(8);
}
+ /* Validate the wMaxPacketSize field */
+ maxp = usb_endpoint_maxp(&endpoint->desc);
+
+ /* Find the highest legal maxpacket size for this endpoint */
+ i = 0; /* additional transactions per microframe */
+ switch (to_usb_device(ddev)->speed) {
+ case USB_SPEED_LOW:
+ maxpacket_maxes = low_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_FULL:
+ maxpacket_maxes = full_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_HIGH:
+ /* Bits 12..11 are allowed only for HS periodic endpoints */
+ if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
+ i = maxp & (BIT(12) | BIT(11));
+ maxp &= ~i;
+ }
+ /* fallthrough */
+ default:
+ maxpacket_maxes = high_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_SUPER:
+ case USB_SPEED_SUPER_PLUS:
+ maxpacket_maxes = super_speed_maxpacket_maxes;
+ break;
+ }
+ j = maxpacket_maxes[usb_endpoint_type(&endpoint->desc)];
+
+ if (maxp > j) {
+ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid maxpacket %d, setting to %d\n",
+ cfgno, inum, asnum, d->bEndpointAddress, maxp, j);
+ maxp = j;
+ endpoint->desc.wMaxPacketSize = cpu_to_le16(i | maxp);
+ }
+
/*
* Some buggy high speed devices have bulk endpoints using
* maxpacket sizes other than 512. High speed HCDs may not
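Review bot: In the USB_SPEED_HIGH case, `i = maxp & (BIT(12) | BIT(11));` carries the additional-transactions field through unchecked and `cpu_to_le16(i | maxp)` writes it back, so the reserved encoding with both bits set survives validation even though the commit message is about reserved bits and out-of-bounds values. Consider clamping or rejecting that encoding before it is stored. Two smaller points: with `default:` sitting between the HIGH and SUPER cases, any speed not listed silently uses the high-speed table, which deserves a comment; and the dev_warn format prints the unsigned maxp with %d.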
@@ -254,9 +317,6 @@ static int usb_parse_endpoint(struct dev
*/
if (to_usb_device(ddev)->speed == USB_SPEED_HIGH
&& usb_endpoint_xfer_bulk(d)) {
- unsigned maxp;
-
- maxp = usb_endpoint_maxp(&endpoint->desc) & 0x07ff;
if (maxp != 512)
dev_warn(ddev, "config %d interface %d altsetting %d "
"bulk endpoint 0x%X has invalid maxpacket %d\n",